Over the past four years, U.S. banks have replaced most traditional magnetic stripe credit cards with new EMV cards – short for Europay MasterCard Visa – that store data on an embedded computer microchip that makes the cards more difficult to counterfeit. During the same time, retailers have replaced most magnetic-stripe card readers with new chip card readers.
Throughout the rest of the world, EMV means chip-and-PIN, which requires users to enter a secret personal identification number to approve a transaction, the same as when withdrawing cash from an ATM. But the U.S. cards introduced in 2015 were chip-and-signature, so transactions were still approved with an easily forged signature. In 2018, the major credit card companies eliminated the requirement for a signature without replacing it with a more sophisticated means of authentication. While the chip can reduce counterfeit fraud, the absence of a PIN leaves the cards with no protection against the fraudulent use of lost or stolen cards and without backup in cases where the chip malfunctions or is circumvented. NRF believes chip-only or chip-and-signature offers only half the security EMV is capable of and has repeatedly called on banks to issue chip-and-PIN cards instead.
While other authentication technology may become available, chip-and-PIN has been used in some countries for more than a decade and is currently the world standard for credit card security. NRF believes U.S. consumers deserve the same level of security as shoppers elsewhere.
Why it matters to retailers
Credit card security – a large component of overall data security – is one of retailers’ top priorities. U.S. retailers complained for years that traditional credit cards were fraud-prone, saying their magnetic stripes were easy to copy and that signatures were of little value in proving the person using the card was the legitimate cardholder. With magnetic stripe, banks usually absorbed the cost when a fraudulent transaction was made with a counterfeit card, but retailers were stuck with the cost when lost or stolen cards were involved, amounting to billions of dollars a year. As a result, retailers demanded chip-and-PIN, which protects banks, retailers and consumers alike by stopping both counterfeit and lost/stolen card fraud. When banks began issuing chip-and-signature cards instead, retailers were concerned that the opportunity to take full advantage of chip technology had been missed.
The switch to EMV has come at considerable expense to retailers because merchants, not the card industry, have been required to pay the cost of the new equipment, software and installation – an average of $2,000 per chip reader or more than $30 billion nationwide. In addition, changes in fraud liability rules unilaterally imposed by the card industry in 2015 mean retailers face increased liability if fraud is committed with a chip card and the retailer does not have a chip reader. Retailers without a chip reader are now usually responsible for counterfeit fraud if a chip card is used, and remain responsible for most lost/stolen fraud when either a chip card or traditional card is used.
NRF advocates for more secure credit cards
NRF has argued that chip cards without PINs do not provide sufficient security and that a PIN alone – even without the chip – could more effectively stop both counterfeit and lost/stolen fraud. NRF has also said it is unfair for retailers to have to pay the cost of new EMV equipment that has reduced fraud costs for banks but not retailers.
Card companies have touted statistics showing that EMV has reduced counterfeit card fraud but have said little about whether it has had any impact on lost/stolen fraud. And a 2017 LexisNexis study showed an increase in online card fraud, where the chip plays no role because only card numbers – not a physical card – are required.
Despite the concerns, retail adoption of chip cards has been widespread. NRF surveys show 99 percent of mid-size and large retailers had chip readers in operation by the end of 2017 and that 81 percent of small retailers had done the same.
In the spring of 2018, all four major credit card companies – Visa, MasterCard, American Express and Discover – stopped requiring signatures on credit card transactions. (Retailers still have the option of requiring their customers to sign.) NRF responded that dropping signatures would not jeopardize security but that the card industry should take the next step and require the use of PINs.
The move to EMV was prompted, in part, by data breaches in which credit card numbers were stolen. But the chip only confirms that the card is not counterfeit and does nothing to protect card information stored in databases or being transmitted for payment processing. With the chip failing to address those issues, retailers have moved forward on sophisticated security steps of their own. An NRF survey found that by the end of 2019, 80 percent of retailers expect to have adopted point-to-point encryption, which protects card data being transmitted. In addition, 89 percent are adopting tokenization, which protects information stored in a database. Some retailers have said the numbers would be higher if not for resources diverted to chip cards.
In 2018, NRF helped form the Secure Payments Partnership, a new coalition intended to improve the security of the U.S. payments system ranging from credit and debit cards to emerging technology. The group – which includes financial services companies such as the Star and Shazam ATM networks along with retailers for the first time – has urged the card industry to make PIN or more advanced authentication available.
Among other proposals, the SPP has called for open payment card security standards rather than those mandated by the Payment Card Industry Security Standards Council, which is controlled by the major credit card companies. In 2016, the Federal Trade Commission sought comments on whether the council’s regulations should be incorporated into an update of its “Safeguards Rule,” which requires financial institutions to maintain comprehensive data security programs. NRF argued against doing so, saying the council is an “inappropriate exercise of market power” and “fails to meet any of the standards established by the federal government” for impartial standard setting.